Abstract


At times it is necessary to obtain a group decision from a number of different nodes over a large network. Secret sharing protocols allow a quorum q of a group of n people to arrive at decisions by having the quorum recompute a predetermined secret, such as an access code, while preventing fewer than q people from gaining any information about the secret. However, current protocols [6, 5] are vulnerable when participants cheat, for example by giving false information to other participants. In this work, I present a powerful new protocol which detects cheaters immediately and halts the exchange before any more information is revealed. In addition, it prevents cheaters from gaining any information without revealing an equal amount of their own. This protocol will present new paradigms in a variety of applications, such as electronic balloting and secure file system fault tolerance.




1 Introduction and Motivation


In his will, a man left a safe to his eleven squabbling relatives. To each individual heir, he gave a secret. In his will, he said that if eight or more of his eleven relatives could put aside their differences and pool their resources, they could compute the safe combination from their individual secrets. Otherwise, the safe would remain locked and no one would inherit anything.

In order to execute the will in this parable, a special protocol is required to allow a group of people to share a secret such that a quorum of them can recompute the secret, yet fewer than that quorum can gain no information. In addition, such a protocol requires the prevention of cheating so that participants are unable to extract more information than they reveal.

A protocol of this nature is called a (q, n) threshold scheme or secret sharing problem. A secret sharing problem in general has the following characteristics:

1. a secret S is divided into n pieces, or shares;

2. knowledge of quorum q or more shares allows S to be easily computed;

3. knowledge of q - 1 or fewer pieces reveals no information about S.

In addition, it must be assured that participants in the protocol are unable to cheat. The secret sharing problem implicitly assumes that shares will be pooled by the quorum to compute the secret. Various protocols have been created [5, 8, 1]. Some of these include techniques to catch cheaters who might put bogus values into the shared pool of information. Even if cheaters can be detected, a problem remains since cheaters can still see the contents of the pool before revealing their own shares. A workable protocol must be able to ensure that cheaters cannot see the contents of the pool without first adding their true shares to it. This would ensure that a cheating party could not gain any advantage.

2 Description

In order to solve a distributed secret sharing problem, a (q, n) threshold scheme can be implemented. However, a few extra constraints are needed:

4. Any party involved will be unable to extract someone else's share without revealing its own.

5. Any party involved with the protocol will be detected if it cheats,

and optionally:

6. New shares can be created which can replace or supplement older shares.

We assume that the secret is bounded by a public prime p, and q < n.

A protocol which has all of these characteristics can find application in a variety of settings. For example:

• Distributed Decision Making [\\] Let the secret be a key, for example an access code. The question is whether the access code is allowed to be used. The solution: divide up the key into n shares and give one share to each of the n people involved. Let q be the number of "yes" votes necessary to decide to use the access code. When someone decides to vote "yes," she simply adds her share into a general pool. When q shares are in the pool, the access code can be computed and used. Otherwise, the access code will remain safely anonymous.

• Hierarchical Access [6] Similar to distributed decision making, let the secret be a key. However, instead of giving one share to everyone, prioritize people according to authority. In a business, for example, you could give the CEO q shares, the secret in essence. For each member of the board, you could give | shares. For each manager, | shares, and so forth. Thus, rather than requiring q people to convene, all that is necessary is to gather people who together have q shares.

• Secure File Storage and Fault Tolerance [3, 2] Let the secret be a file. Let n be the number of disks available with each disk receiving one share, and let q be the minimum number of shares needed to re-create the file. Thus, in order for an interloper to gain access to the file, he must gain access to q disks. This provides much greater security for files than would exist by simply keeping the file in one central location, as it requires an interloper to gain access to each individual disk. In addition, this method provides superior fault tolerance to a simple backup copy scheme. In order for the file to be lost, more than n - q - 1 disks must fail. As this method does not require an extraordinary amount of additional data over the single backup scheme, it is doubly attractive.


3 Shamir's Solution

The first secret sharing protocol was created by Adi Shamir [6]. His protocol is not protected against cheating attacks.

In Shamir's original protocol, a Dealer, the person who knows the secret, creates a polynomial f(x) of the form:

f(x) = x^q + a_{q-1} x^{q-1} + \cdots + a_1 x + S \pmod p

where the coefficients a_i are chosen independently from [0, p). S is the secret (an integer modulo p) and p is a large public prime.

The Dealer sends to each participant C_1 ... C_n the value f(i) (assume that the participants know their index). Hereafter, we will refer to f(i) as C_i's share s_i. When q participants desire to recompute the secret, they exchange their shares with each other. We will refer to q as a quorum. Once they have q shares s_1 ... s_q, they can create q equations. To find S, they need only solve for S and each a_i in the following system of equations:

f(s_1) = s_1^q + a_{q-1} s_1^{q-1} + \cdots + a_1 s_1 + S \pmod p
f(s_2) = s_2^q + a_{q-1} s_2^{q-1} + \cdots + a_1 s_2 + S \pmod p
\vdots
f(s_q) = s_q^q + a_{q-1} s_q^{q-1} + \cdots + a_1 s_q + S \pmod p

where p and each f(s_i), s_i are known.

To solve for S and a_1 ... a_{q-1}, all that is required is to solve for q unknowns with q equations in a modulo field. In matrix form (u = Mv, where u and M are known) this is:

\begin{bmatrix} f(s_1) - s_1^q \\ f(s_2) - s_2^q \\ \vdots \\ f(s_q) - s_q^q \end{bmatrix}
=
\begin{bmatrix} s_1^{q-1} & \cdots & s_1 & 1 \\ s_2^{q-1} & \cdots & s_2 & 1 \\ \vdots & & \vdots & \vdots \\ s_q^{q-1} & \cdots & s_q & 1 \end{bmatrix}
\begin{bmatrix} a_{q-1} \\ \vdots \\ a_1 \\ S \end{bmatrix}
\pmod p

with u (left) and M (centre) known and v (right) unknown.

All that is needed to solve for v (and thus S) is a simple matrix inversion modulo p and multiplication. Computation modulo p is simple to do since the integers modulo p form a field (Z/pZ).

3.1 Proof of Correctness

Theorem 1 A participant with q - 1 (or fewer) shares can gain absolutely no information about the secret S.

Proof: Assuming that a participant does have q - 1 shares, he can create the following:

f(s_1) = s_1^q + a_{q-1} s_1^{q-1} + \cdots + a_1 s_1 + S \pmod p
f(s_2) = s_2^q + a_{q-1} s_2^{q-1} + \cdots + a_1 s_2 + S \pmod p
\vdots
f(s_{q-1}) = s_{q-1}^q + a_{q-1} s_{q-1}^{q-1} + \cdots + a_1 s_{q-1} + S \pmod p

To find S, he has to solve for q unknowns with only q - 1 equations. The best he can do is create an equation for S with one degree of freedom [7], which gives no information about the actual value of S. ■

3.2 Weaknesses

There are two major weaknesses in Shamir's protocol:

1. Bogus values are undetectable.

2. Participants need not reveal their true share.

These two weaknesses are distinct, because even if a bogus value was detected, it would not necessarily give any information about the true value. However, should some participant A give another participant B invalid information after B has already given valid information to A, even if B could detect A's bogus information, A will still have more information than B. To see this, consider the following example:

Example 1 Assume that the secret S is 13, and that q is 3. Also assume that the Dealer has created the polynomial:

f(x) = x^3 + 11x^2 + 4x + 13 \pmod{17}

and has distributed the following points to Alice, Bob, and Carl:
Alice: (1, 12)    Bob: (2, 5)    Carl: (3, 15)

Normal interpolation would result in the following equations:

12 = 1 + a + b + S \pmod{17}
5 = 8 + 4a + 2b + S \pmod{17}
15 = 10 + 9a + 3b + S \pmod{17}

which translates into the following matrix form:

\begin{bmatrix} 11 \\ 14 \\ 5 \end{bmatrix} = \begin{bmatrix} 1 & 1 & 1 \\ 4 & 2 & 1 \\ 9 & 3 & 1 \end{bmatrix} \begin{bmatrix} a \\ b \\ S \end{bmatrix} \pmod{17}

which naturally results in [a, b, S] = [11, 4, 13].

However, if Alice tries to fool Bob and Carl, she can submit (1, 8) instead of her actual value. Bob and Carl will then try to solve:

8 = 1 + a + b + S \pmod{17}
5 = 8 + 4a + 2b + S \pmod{17}
15 = 10 + 9a + 3b + S \pmod{17}

which translates into matrix form as:

\begin{bmatrix} 7 \\ 14 \\ 5 \end{bmatrix} = \begin{bmatrix} 1 & 1 & 1 \\ 4 & 2 & 1 \\ 9 & 3 & 1 \end{bmatrix} \begin{bmatrix} a \\ b \\ S \end{bmatrix} \pmod{17}

which yields the incorrect result of [a, b, S] = [9, 14, 1]. However, to the eyes of Bob and Carl, everything is as it should be until the secret is actually used and is found to be in error. Neither Bob nor Carl can determine who cheated, as Alice can easily interpolate the incorrect answer and show that to Bob and Carl, demonstrating that she also has been duped and does not know the true secret. Yet Alice now has both Bob's and Carl's shares, and can compute S at her leisure.
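As an added example (my own Python, not code from the paper), the following implements the monic-polynomial scheme of Section 3 exactly as Example 1 uses it: the Dealer's share computation, reconstruction by Gauss-Jordan elimination modulo p, the run in which Alice submits (1, 8), and a check of Theorem 1 showing that with q - 1 shares every S in Z_p is still possible. All function names are mine.

```python
# Added example (not the paper's code): Shamir's scheme in the monic form of
# Section 3, f(x) = x^q + a_{q-1} x^{q-1} + ... + a_1 x + S (mod p), with
# reconstruction by solving the q x q system u = Mv over Z/pZ. Names are mine.
import random


def dealer_shares(secret, q, n, p, coeffs=None):
    """Return {i: f(i)} for participants C_1..C_n. `coeffs` lists a_{q-1}..a_1;
    left as None, they are drawn from [0, p) at random as the Dealer would."""
    if coeffs is None:
        coeffs = [random.randrange(p) for _ in range(q - 1)]
    assert len(coeffs) == q - 1

    def f(x):
        val = pow(x, q, p)                        # the monic x^q term
        for j, a in enumerate(coeffs):            # a_{q-1} x^{q-1} ... a_1 x
            val += a * pow(x, q - 1 - j, p)
        return (val + secret) % p

    return {i: f(i) for i in range(1, n + 1)}


def solve_mod_p(M, u, p):
    """Gauss-Jordan elimination over the field Z/pZ: solve M v = u for v."""
    m = len(u)
    A = [row[:] + [u[i]] for i, row in enumerate(M)]       # augmented matrix
    for col in range(m):
        piv = next((r for r in range(col, m) if A[r][col] % p), None)
        if piv is None:
            raise ValueError("matrix is singular modulo p")
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, p)                      # modular inverse
        A[col] = [x * inv % p for x in A[col]]
        for r in range(m):
            if r != col and A[r][col]:
                fac = A[r][col]
                A[r] = [(x - fac * y) % p for x, y in zip(A[r], A[col])]
    return [A[i][m] for i in range(m)]


def reconstruct(points, p):
    """`points` are the (x, f(x)) pairs pooled by a quorum of q participants.
    Returns [a_{q-1}, ..., a_1, S]. Nothing here can tell a bogus point from a
    genuine one, so a bogus point silently yields a wrong S (Section 3.2)."""
    q = len(points)
    u = [(y - pow(x, q, p)) % p for x, y in points]        # move x^q to the left
    M = [[pow(x, q - 1 - j, p) for j in range(q)] for x, _ in points]
    return solve_mod_p(M, u, p)


def consistent_secrets(points, q, p):
    """Theorem 1: with only q-1 points, every S in Z_p is consistent with exactly
    one choice of a_{q-1}..a_1, so the points reveal nothing about S."""
    found = []
    for S in range(p):
        u = [(y - pow(x, q, p) - S) % p for x, y in points]
        M = [[pow(x, q - 1 - j, p) for j in range(q - 1)] for x, _ in points]
        try:
            solve_mod_p(M, u, p)
            found.append(S)
        except ValueError:
            pass
    return found


if __name__ == "__main__":
    p, q = 17, 3
    print(dealer_shares(13, q, 3, p, coeffs=[11, 4]))       # {1: 12, 2: 5, 3: 15}
    print(reconstruct([(1, 12), (2, 5), (3, 15)], p))       # [11, 4, 13]
    print(reconstruct([(1, 8), (2, 5), (3, 15)], p))        # Alice's (1, 8): [9, 14, 1]
    print(len(consistent_secrets([(2, 5), (3, 15)], q, p)))  # 17, i.e. all of Z_17
```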


4 Ben-Or/Rabin Solution

Tal Rabin and Michael Ben-Or improved on the protocols of Shamir and others [8, 1] by introducing a zero-knowledge proof based upon Check Vectors into the protocol [5]. The improvement to Shamir's secret sharing protocol that we are concerned about is as follows:

For every pair of participants A, B the Dealer picks two positive non-zero integers b_{AB}, y_{AB} ∈ Z_p and calculates

c_{AB} = (b_{AB})(y_{AB}) + s_A \pmod p

Then instead of just distributing a share s_A to A, the Dealer gives A the pair s_A and y_{AB}, and B the pair (b_{AB}, c_{AB}). This pair is known as a Check Vector. It is important to note that A keeps s_A and y_{AB} secret, just as B keeps (b_{AB}, c_{AB}) secret.

When a quorum of participants wish to recompute the secret, each participant A exchanges his information privately with participant B. B then uses his check vector (b_{AB}, c_{AB}) to ensure that:

s_A + (b_{AB})(y_{AB}) = c_{AB} \pmod p

Thus, A cannot try to pass B a bogus value.

4.1 Proof of Correctness

We need to show two things to prove that this protocol works as stated.

Lemma 2 The probability of A deceiving B is 1/p.

Proof: In order for A to deceive B, A must send an s'_A and y'_{AB} such that:

s'_A + (b_{AB})(y'_{AB}) = c_{AB} \pmod p

However, there is only one possible y'_{AB} that will satisfy this equation. Thus, A has a probability of 1/p to pick the correct value, as he has no information about (b_{AB}, c_{AB}). ■

Lemma 3 B has no information from his check vector (b_{AB}, c_{AB}).

Proof: As mentioned in the preceding proof, for all s there exists a unique y such that:

s + by = c \pmod p

The converse, for every y there exists a unique s, also holds. Thus, B has no information about s_A. ■
4.2 Weaknesses

The weaknesses of Shamir's solution were twofold: participants could reveal bogus information into the protocol and thereby prevent the secret from being recomputed, and secondly they could give invalid information after receiving another participant's valid information. The Ben-Or/Rabin protocol detects fraudulent values handily, eliminating one of the weaknesses of Shamir's protocol. Unfortunately, the other still remains, namely:

• Participants need not reveal their true shares.

As this protocol involves an exchange of information, the following situation is quite possible:

Alice and Bob decide to recompute the secret. Bob sends his partial secret to Alice, but after receiving Bob's secret Alice decides to send either a bogus value or nothing at all. Thus, Alice can now compute the secret, but Bob cannot, nor is he able to prevent Alice from doing so.

5 Bitwise Check Vector Solution

The idea behind the ybc Vector Protocol is to use a bitwise variant of the Ben-Or/Rabin Check Vector solution. The problem with the Ben-Or/Rabin solution is that at some point in the protocol participant A will have B's share, but B will have yet to receive A's share. Termination of the protocol at that point will result in A knowing B's share while keeping his own share private.

This problem can be resolved by exchanging bits instead of the full numbers. Thus, at any point in the protocol, A will only be at most 1 bit ahead of B, which is not a significant advantage, since exhaustive search techniques would allow an attacker to search the space of feasible factors. A one bit advantage translates into a factor of two in search time.

5.1 The ybc Vector Protocol

To describe the protocol, we will initially focus on the bit-by-bit exchange from Alice (A) to Bob (B). The full protocol between Alice and Bob occurs when Alice and Bob exchange bits interactively using the bit-by-bit protocol.

(Step 1) The Dealer sends s and y to Alice; b, c to Bob.
For each s[i] do:
    (Step 2a) Alice sends s[i] and y_i to Bob.
    (Step 2b) Bob verifies that s[i] + b_i y_i = c_i (mod p).
        If so:
            Bob sends an acknowledgment.
            Alice returns to Step 2a.
        Else:
            Bob terminates exchange.

Figure 1: One-sided ybc Vector Protocol

Let p be a large published prime. Recall that p is the upper bound on S, the coefficients a_{q-1} ... a_1, and shares s_1 ... s_n.

The one-sided protocol works as detailed in Figure 1. The Dealer sends a k-bit share s and a vector y of k integers to Alice, and two vectors b and c of k integers to Bob, such that:

s[i] + b_i y_i = c_i \pmod p

where b and y are chosen at random, and s[i] denotes the ith bit of s.

Step 1: Dealer distributes to Alice and Bob.

Step 2: Alice sends a bit to Bob who then verifies it.

At the end of this protocol, Bob will have Alice's entire share s, and will know that s is valid.

Theorem 4 The probability of Alice deceiving Bob on any given bit is 1/p.

Proof: Without loss of generality, assume that Alice is going to try to fool Bob for bit i and remain honest for the rest. To fool Bob, Alice needs to send Bob the pair (s'[i], y'_i) such that:

s'[i] + b_i y'_i = c_i \pmod p

However, from Lemma 2, we know that there exists only one y'_i that will satisfy the equality. The probability of Alice picking the correct y'_i is 1/p. ■

The complete protocol is simply a concurrent extension of the previous protocol between Alice and Bob. All participants privately transmit the first bit of their share along with the appropriate y_i to each other. They then verify all the bits they receive from the other participants, and continue to the next bit. This is formalized in Figure 2.

Example 2 Consider the full protocol using three participants, Alice, Bob, and Carl. The Dealer begins by creating the polynomial and subsequently creating and sending the appropriate shares and y, b, and c to the participants, as detailed in Step 1. For this example, assume that the polynomial is of degree 3, which requires all three participants to reveal their shares to recompute the secret.

(Step 1) The Dealer distributes s_{C_j} and the y_{C_j C_l}, b_{C_j C_l}, and c_{C_j C_l} vectors.
(Step 2) For i = 1 to k (where k is the number of bits in s) do:
    Each C_j privately sends s_{C_j}[i] and y_{C_j C_l i} to C_l.
(Step 3) Each C_l verifies s_{C_j}[i] + (b_{C_j C_l i})(y_{C_j C_l i}) = c_{C_j C_l i} (mod p).
    If any C_l detects cheating by some C_m:
        C_l terminates the exchange with C_m.
        C_l notifies the other participants of C_m's attempt.
    Else:
        The protocol progresses to the next i.
(Step 4) Each C_j solves for S.

Figure 2: Full ybc Vector Protocol


Step 1: Dealer distributes to Alice, Bob, and Carl.

When all the participants decide to recompute the secret, they will privately exchange information bit-by-bit, as shown in Step 2.

Step 2: Alice, Bob, and Carl exchange shares.

After each bit is exchanged, Alice, Bob, and Carl will verify the validity of the bit using the appropriate check vectors as shown in Step 2. Again, the calculation is done after each bit is exchanged and not after all bits have been exchanged.

Alice verifies:
s_B[i] + b_{BAi} y_{BAi} = c_{BAi} \pmod p
s_C[i] + b_{CAi} y_{CAi} = c_{CAi} \pmod p

Bob verifies:
s_A[i] + b_{ABi} y_{ABi} = c_{ABi} \pmod p
s_C[i] + b_{CBi} y_{CBi} = c_{CBi} \pmod p

Carl verifies:
s_A[i] + b_{ACi} y_{ACi} = c_{ACi} \pmod p
s_B[i] + b_{BCi} y_{BCi} = c_{BCi} \pmod p

Step 3: Alice, Bob, and Carl verify each others' bits.

Once all three participants have received the other shares, they each create the appropriate equations and solve, as shown in Step 4: Alice, Bob, and Carl each set up the q = 3 system of Section 3 from the three shares s_A, s_B, s_C and solve it for S modulo p.

Step 4: Alice, Bob, and Carl solve for S.

The secret now being known, they are able to use it as they see fit.

5.2 Space Requirements

For each X, Y, where X and Y are distinct parties holding shares, the Dealer needs to create the following:

y_{XY}  The y vector which X will use to exchange his share with Y.
b_{XY}  The b component which Y will use to verify X's share.
c_{XY}  The c component which Y will use to verify X's share.

Each participant C_i has three sets of vectors, each set of length n - 1. Thus, each C_i requires additional space of O(3(n - 1)). As there are n participants, this expands to O(3(n - 1)n) or simply O(n^2) extra space for the entire protocol.

Note that each y_{XY}, b_{XY}, and c_{XY} must be different for each X and Y; otherwise, two participants could collude and thus determine every y_i, b_i, and c_i, which would enable them to cheat without detection.
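As an added example (my own Python, not code from the paper or its authors), the following walks through the one-sided exchange of Figure 1, the pairwise exchange of Figure 2 with one participant sending a bogus bit, the counting argument behind Lemmas 2 and 3 and Theorem 4, and the 3(n - 1) vectors per participant of Section 5.2; the Section 4 check vector is the same construction applied to the whole share as a single value, so the same functions cover it. The names, and the assumed cheater behaviour (flipping bit 1 while sending the true y), are mine.

```python
# Added example (not the paper's code): the bitwise check-vector exchange of
# Figures 1 and 2. The Section 4 check vector is the same construction applied
# to the whole share as one value instead of to each bit. Names are mine.
import random

def make_check_vectors(values, p):
    """Dealer: for each value v_i (the bits of a share in Section 5, or the
    whole share as a single value in Section 4) pick b_i, y_i in [1, p) and set
    c_i = v_i + b_i*y_i (mod p). y goes to the sender, (b, c) to the verifier."""
    y = [random.randrange(1, p) for _ in values]
    b = [random.randrange(1, p) for _ in values]
    c = [(v + b[i] * y[i]) % p for i, v in enumerate(values)]
    return y, (b, c)

def share_bits(share, k):
    """The bits s[0..k-1] of a k-bit share, least significant first."""
    return [(share >> i) & 1 for i in range(k)]

def verify(v_i, y_i, b_i, c_i, p):
    """Step 2b / Step 3: the verifier checks v_i + b_i*y_i = c_i (mod p)."""
    return (v_i + b_i * y_i) % p == c_i

def one_sided_exchange(sent, y, check, p):
    """Figure 1, Alice -> Bob. `sent` is what Alice actually sends, honest or
    not. Returns (values Bob accepted, index of the first rejected one or None)."""
    b, c = check
    accepted = []
    for i, v_i in enumerate(sent):
        if not verify(v_i, y[i], b[i], c[i], p):
            return accepted, i          # Bob terminates; Alice is at most 1 bit ahead
        accepted.append(v_i)
    return accepted, None

def count_y_for(v, b_i, c_i, p):
    """Lemmas 2/3, Theorem 4: number of y' in Z_p with v + b_i*y' = c_i (mod p).
    It is exactly 1 for every v (b_i != 0): a cheater must guess y' (probability
    1/p) and the verifier learns nothing about v from (b_i, c_i) alone."""
    return sum(1 for y_ in range(p) if (v + b_i * y_) % p == c_i)

def full_protocol(shares, k, p, liars=()):
    """Figure 2 among the participants in `shares` ({name: share}). Every ordered
    pair (X, Y) gets its own y_XY and (b_XY, c_XY), i.e. 3(n-1) vectors per
    participant (Section 5.2). A name in `liars` flips bit 1 of the share it
    sends (assumed cheater behaviour). Returns ({verifier: {sender: value built
    from the accepted bits}}, [(liar, detector, bit index)])."""
    names = list(shares)
    y, check = {}, {}
    for x in names:                                        # Step 1
        for v in names:
            if x != v:
                y[x, v], check[x, v] = make_check_vectors(share_bits(shares[x], k), p)
    got = {v: {x: [] for x in names if x != v} for v in names}
    halted, detected = set(), []
    for i in range(k):                                     # Steps 2 and 3
        for x in names:
            for v in names:
                if x == v or (x, v) in halted:
                    continue
                s_i = share_bits(shares[x], k)[i] ^ (1 if x in liars and i == 1 else 0)
                b, c = check[x, v]
                if verify(s_i, y[x, v][i], b[i], c[i], p):
                    got[v][x].append(s_i)
                else:                                      # v halts with x, tells the rest
                    detected.append((x, v, i))
                    halted |= {(x, w) for w in names} | {(w, x) for w in names}
    return ({v: {x: sum(bit << j for j, bit in enumerate(bits))
                 for x, bits in got[v].items()} for v in names}, detected)
```

Because an honest bit always satisfies c_i = s[i] + b_i y_i and a flipped bit never does (p > 2), the returned values do not depend on the Dealer's random choices.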


6 Conclusions and Future Research

Secret sharing is unusable unless it can ensure that the people involved with the protocol are unable to cheat. The ybc vector protocol ensures that any person involved with the protocol is unable to gain any information from another person without revealing an equal amount of his own information (within a constant factor of 2). However, this protocol does have the following limitations:

1. A cheater can gain an advantage of one bit. Should a cheater decide to take this advantage during the middle of a transaction and then attempt to exhaustively search for the remaining bits, then he will have an advantage of a factor of 2 on the other person. If both parties have equivalent computational power, then this is not an advantage. However, this could be a consideration if the cheater has substantially more computational power (enough so that he can compute the secret by brute force before the victim is able to do something about it).

2. The memory requirements of this protocol are O(n^2). For a reasonable n, this is not necessarily burdensome; however, for very large n, this can be a problem. For example, this protocol could be used with ease to implement electronic balloting with a constituency of 20, but would be clearly impractical for a popular vote with a constituency of the United States.

3. This protocol only allows for a one-time use of a secret. Once the secret has been revealed, all outstanding keys become useless, and there is no way to re-secure the secret. In the business hierarchy example presented earlier, the access code would need to be changed at every use, and every person involved with the protocol would need a new share (as well as all extra data required).

Future research on secret sharing would require that we extend the protocol to overcome these limitations. One idea would be to explore the use of a secure co-processor [9, 10] with the protocol. Proper use could remove the need for any form of check vector requirement as well as allowing the secret to be re-secured; if the secure co-processor is the only entity that interpolates and discovers the secret, then no participant will ever have knowledge of it. This idea naturally scales to handle tamper-proof smart cards.
A Notation

Check Vector  A pair (b, c) used to verify a share s.

Dealer  The person who originally has the secret and distributes the shares to the n people.

Participant (A, B, C, etc.)  A person involved with recomputing the secret.

k  The number of bits in the secret.

n  The number of people involved with the secret sharing.

p  A large public prime.

q  The quorum of people needed to re-create the secret (this must be less than n).

S  The secret. For simplicity, we'll assume this is an integer modulo p.

s (share)  An integer value which, when combined with other shares, recomputes the secret.

s[i]  The ith bit of s.

y_{ABi}  The ith component of vector y which is used by B to verify information from A.